MyCar App Makes it Dangerously Easy for Hackers to Locate, Control Connected Cars Remotely

Other re-branded versions of this software are also at increased risk of over-the-air attacks.

by Rob Stumpf

A backdoor has recently been unearthed in MyCar, a smartphone app that gives old vehicles some degree of connected-car tech and capabilities. The vulnerability, which was recently patched, enabled attackers to read telemetry and even send commands to an unsuspecting vehicle without needing the owner's credentials.

MyCar was found to have been published with administrator credentials hard-coded into the software. This particular vulnerability, if exploited, could allow bad actors to access a particular user's account without the user's consent and without even knowing the credentials for the vehicle. Once access is gained, the attacker could unlock the vehicle, start the engine, change the vehicle's HVAC controls, or even find the vehicle's current location.

According to sources, the application's developer, AutoMobility Distribution, had been made aware of the vulnerability as early as January and had been working to remedy the issue. It's unclear if the exploit had been used in the wild before being patched.

"Since then, all the resources at our disposal have been used to promptly address the situation, and we have fully resolved the issue," said the developer in a statement to security firm Sophos. "During this vulnerability period, no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems."

The vulnerability was published by Carnegie Mellon's CERT Division earlier this week, where it was noted that the exploit had been patched on both iOS and Android platforms. Users on older versions of the application would need to update in order to regain functionality of their devices, as the previous hard-coded administrator credentials were revoked in order to prevent attackers from having continued access.

The following applications all used rebranded versions of MyCar's solution and were susceptible to the attack prior to the update:

  • Carlink
  • Linkr
  • MyCar Kia
  • Visions MyCar

While this particular exploit is relatively alarming, that's nothing compared to what could be coming down the pike. Vehicles are becoming increasingly connected in the name of convenience. Some automakers use connected services to send out fleet-wide over-the-air updates, while others phone home more serious data to the mothership.

In reality, cars are becoming big, moving nodes on the Internet of Things. Now, I'm not saying that you're going to be driving a weaponized missile on wheels, but it becomes an automaker's responsibility to protect consumers from bad actors if it chooses to equip a vehicle with connected services. Participating in hack-a-thons like Pwn2Own helps automakers find exploits before they make their way into the wild. Furthermore, bug bounties encourage security researchers to turn in their findings in exchange for a small bag of cash.

State actors can also pose a serious concern, whether they be foreign or domestic. Infamous whistleblower Julian Assange (who was recently arrested in London) exposed a vast hacking arsenal in 2017 which he claims was provided by a "current or former" CIA contractor. The toolkit was said to include various instruments to control IoT and mobile devices, something which raises red flags for consumers wondering just who has access to their driving data. In China, it's commonplace for automakers of connected cars to actually feed data back to a central state-controlled repository.

As more vehicles become internet-facing, it is in the best interest of both consumers and the industry for security to be taken very seriously, from OEM parts to connected aftermarket add-on accessories. And for everyone wearing tinfoil hats, it's time to start hoarding fleets of cars from today's era.
